diff options
author | David Howells <dhowells@redhat.com> | 2012-05-11 05:56:56 -0400 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2012-05-11 05:56:56 -0400 |
commit | f0894940aed13b21f363a411c7ec57358827ad87 (patch) | |
tree | 43b1fcfc6e9ff2912943b2b2789559b36e7a192d | |
parent | 45de6767dc51358a188f75dc4ad9dfddb7fb9480 (diff) |
KEYS: Move the key config into security/keys/Kconfig
Move the key config into security/keys/Kconfig as there are going to be a lot
of key-related options.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
-rw-r--r-- | security/Kconfig | 68 | ||||
-rw-r--r-- | security/keys/Kconfig | 71 |
2 files changed, 72 insertions, 67 deletions
diff --git a/security/Kconfig b/security/Kconfig index ccc61f8006b..e9c6ac724fe 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -4,73 +4,7 @@ | |||
4 | 4 | ||
5 | menu "Security options" | 5 | menu "Security options" |
6 | 6 | ||
7 | config KEYS | 7 | source security/keys/Kconfig |
8 | bool "Enable access key retention support" | ||
9 | help | ||
10 | This option provides support for retaining authentication tokens and | ||
11 | access keys in the kernel. | ||
12 | |||
13 | It also includes provision of methods by which such keys might be | ||
14 | associated with a process so that network filesystems, encryption | ||
15 | support and the like can find them. | ||
16 | |||
17 | Furthermore, a special type of key is available that acts as keyring: | ||
18 | a searchable sequence of keys. Each process is equipped with access | ||
19 | to five standard keyrings: UID-specific, GID-specific, session, | ||
20 | process and thread. | ||
21 | |||
22 | If you are unsure as to whether this is required, answer N. | ||
23 | |||
24 | config TRUSTED_KEYS | ||
25 | tristate "TRUSTED KEYS" | ||
26 | depends on KEYS && TCG_TPM | ||
27 | select CRYPTO | ||
28 | select CRYPTO_HMAC | ||
29 | select CRYPTO_SHA1 | ||
30 | help | ||
31 | This option provides support for creating, sealing, and unsealing | ||
32 | keys in the kernel. Trusted keys are random number symmetric keys, | ||
33 | generated and RSA-sealed by the TPM. The TPM only unseals the keys, | ||
34 | if the boot PCRs and other criteria match. Userspace will only ever | ||
35 | see encrypted blobs. | ||
36 | |||
37 | If you are unsure as to whether this is required, answer N. | ||
38 | |||
39 | config ENCRYPTED_KEYS | ||
40 | tristate "ENCRYPTED KEYS" | ||
41 | depends on KEYS | ||
42 | select CRYPTO | ||
43 | select CRYPTO_HMAC | ||
44 | select CRYPTO_AES | ||
45 | select CRYPTO_CBC | ||
46 | select CRYPTO_SHA256 | ||
47 | select CRYPTO_RNG | ||
48 | help | ||
49 | This option provides support for create/encrypting/decrypting keys | ||
50 | in the kernel. Encrypted keys are kernel generated random numbers, | ||
51 | which are encrypted/decrypted with a 'master' symmetric key. The | ||
52 | 'master' key can be either a trusted-key or user-key type. | ||
53 | Userspace only ever sees/stores encrypted blobs. | ||
54 | |||
55 | If you are unsure as to whether this is required, answer N. | ||
56 | |||
57 | config KEYS_DEBUG_PROC_KEYS | ||
58 | bool "Enable the /proc/keys file by which keys may be viewed" | ||
59 | depends on KEYS | ||
60 | help | ||
61 | This option turns on support for the /proc/keys file - through which | ||
62 | can be listed all the keys on the system that are viewable by the | ||
63 | reading process. | ||
64 | |||
65 | The only keys included in the list are those that grant View | ||
66 | permission to the reading process whether or not it possesses them. | ||
67 | Note that LSM security checks are still performed, and may further | ||
68 | filter out keys that the current process is not authorised to view. | ||
69 | |||
70 | Only key attributes are listed here; key payloads are not included in | ||
71 | the resulting table. | ||
72 | |||
73 | If you are unsure as to whether this is required, answer N. | ||
74 | 8 | ||
75 | config SECURITY_DMESG_RESTRICT | 9 | config SECURITY_DMESG_RESTRICT |
76 | bool "Restrict unprivileged access to the kernel syslog" | 10 | bool "Restrict unprivileged access to the kernel syslog" |
diff --git a/security/keys/Kconfig b/security/keys/Kconfig new file mode 100644 index 00000000000..a90d6d300db --- /dev/null +++ b/security/keys/Kconfig | |||
@@ -0,0 +1,71 @@ | |||
1 | # | ||
2 | # Key management configuration | ||
3 | # | ||
4 | |||
5 | config KEYS | ||
6 | bool "Enable access key retention support" | ||
7 | help | ||
8 | This option provides support for retaining authentication tokens and | ||
9 | access keys in the kernel. | ||
10 | |||
11 | It also includes provision of methods by which such keys might be | ||
12 | associated with a process so that network filesystems, encryption | ||
13 | support and the like can find them. | ||
14 | |||
15 | Furthermore, a special type of key is available that acts as keyring: | ||
16 | a searchable sequence of keys. Each process is equipped with access | ||
17 | to five standard keyrings: UID-specific, GID-specific, session, | ||
18 | process and thread. | ||
19 | |||
20 | If you are unsure as to whether this is required, answer N. | ||
21 | |||
22 | config TRUSTED_KEYS | ||
23 | tristate "TRUSTED KEYS" | ||
24 | depends on KEYS && TCG_TPM | ||
25 | select CRYPTO | ||
26 | select CRYPTO_HMAC | ||
27 | select CRYPTO_SHA1 | ||
28 | help | ||
29 | This option provides support for creating, sealing, and unsealing | ||
30 | keys in the kernel. Trusted keys are random number symmetric keys, | ||
31 | generated and RSA-sealed by the TPM. The TPM only unseals the keys, | ||
32 | if the boot PCRs and other criteria match. Userspace will only ever | ||
33 | see encrypted blobs. | ||
34 | |||
35 | If you are unsure as to whether this is required, answer N. | ||
36 | |||
37 | config ENCRYPTED_KEYS | ||
38 | tristate "ENCRYPTED KEYS" | ||
39 | depends on KEYS | ||
40 | select CRYPTO | ||
41 | select CRYPTO_HMAC | ||
42 | select CRYPTO_AES | ||
43 | select CRYPTO_CBC | ||
44 | select CRYPTO_SHA256 | ||
45 | select CRYPTO_RNG | ||
46 | help | ||
47 | This option provides support for create/encrypting/decrypting keys | ||
48 | in the kernel. Encrypted keys are kernel generated random numbers, | ||
49 | which are encrypted/decrypted with a 'master' symmetric key. The | ||
50 | 'master' key can be either a trusted-key or user-key type. | ||
51 | Userspace only ever sees/stores encrypted blobs. | ||
52 | |||
53 | If you are unsure as to whether this is required, answer N. | ||
54 | |||
55 | config KEYS_DEBUG_PROC_KEYS | ||
56 | bool "Enable the /proc/keys file by which keys may be viewed" | ||
57 | depends on KEYS | ||
58 | help | ||
59 | This option turns on support for the /proc/keys file - through which | ||
60 | can be listed all the keys on the system that are viewable by the | ||
61 | reading process. | ||
62 | |||
63 | The only keys included in the list are those that grant View | ||
64 | permission to the reading process whether or not it possesses them. | ||
65 | Note that LSM security checks are still performed, and may further | ||
66 | filter out keys that the current process is not authorised to view. | ||
67 | |||
68 | Only key attributes are listed here; key payloads are not included in | ||
69 | the resulting table. | ||
70 | |||
71 | If you are unsure as to whether this is required, answer N. | ||